A good quality management system is one that suits the organisation exactly. Such a system 
requires time and effort to be developed, established, documented, maintained and improved. 


Contents 

Lecture Title 


1 Introduction to ISO 9000:2000 


2 ISO 9001:2000 overview; clause 4 

3 ISO 9001:2000; clauses 5 & 6 

4 ISO 9001:2000; clauses 7 & 8 

5 Process-based quality management systems 


6 Auditing for continual improvement 


7 Registration, certification and auditor competence 


8 Audits: definition, principles, programme management 


9 Audit planning 


10 Preparing for the on-site audit activities 


11 Conducting the audit 


12 Audit review 


13 Audit reporting and follow-up 


Lecture 1 

Introduction to ISO 9000:2000 


OBJECTIVES 

When you have completed this topic, you will be able to: 

• explain the purpose and benefits of a quality management system; 

• state the purpose and benefits of a certificated QMS; 

• be aware of the development and application of the ISO 9000:2000 family of standards; 

• explain the purpose, content and relationship of ISO 9000, ISO 9001, ISO 9004 and ISO 
19011; 

• explain the difference between legal compliance and conformance with ISO standards; 

• be aware of the definitions contained in ISO 9000; 

• explain the process approach to management systems; 

• explain the eight principles of quality management. 


KEY POINTS 

❖ The need for and benefits of a quality management system 

❖ Development of the quality management system standards 

❖ The ISO 9000:2000 family of standards 

❖ ISO 9000: fundamentals and vocabulary 

❖ Relationship between ISO 9001 and ISO 9004 

❖ Compatibility with other Standards 

❖ Legal compliance - ISO standards 

❖ The process approach 

❖ The quality management principles 




1. QUALITY MANAGEMENT SYSTEMS 

1.1. The need for formal quality management systems 

Customers demand products that meet their needs and expectations. These needs and 
expectations are usually expressed as specifications for the product and are generally referred 
to as “customer requirements”. 

Customer requirements may be set out in contracts by the customer or may be determined by 
the organisation. In either case, the customer ultimately decides whether or not the product is 
acceptable. Because customer needs and expectations are changing, organisations must 
continually improve their products and processes. 

Problems occur because of a failure to exercise control over processes or activities; that is, a 
failure of management. 

1.2 The quality management system approach encourages organisations to: 

• identify accurately customer needs and expectations; 

• define the processes that contribute to achieving products that meet customer 
requirements; 

• keep processes under control; 

• resolve quality problems. 


It is absolutely essential that everyone within the organisation recognises the overriding 
importance of meeting customer requirements and achieving product quality. Quality must not 
be allowed to suffer from the competing interests of the costs of production or service provision. 

To this extent, top management determine cultural attitudes but their commitment may not be 
enough. Top managers must participate in the development, implementation and improvement 
of the quality management system. 

1.4 The benefits of such a system include: 

• improved business planning; 

• greater quality awareness throughout the organisation; 

• improved communication; 

• higher customer satisfaction; 

• reduced costs of non-quality. 

An effective quality management system provides the organisation and its customers with the 
confidence that it is able to provide products that consistently meet requirements. 

1.5 The overall result is that there is greater control of processes and activities throughout the 
organisation. 

Provided the quality management system meets the requirements of ISO 9001, the system may 
be certificated or registered as a quality assured firm by an accredited agency (see Lecture 7). 


2. DEVELOPMENT OF THE ISO 9000 FAMILY OF STANDARDS 

2.1 Following a long history of piecemeal development, the first Quality Assurance Standard for 
non-military use was published in 1979 by the British Standards Institution (BSI) in three parts 
as BS 5750. In 1987, the International Organization for Standardization (ISO) published a 
series of International Standards based on BS 5750, the ISO 9000 family. These were amended 
in 1994 and the 2000 series represents a further revision. 

2.2 The ISO 9000:2000 family of standards, therefore, has been developed to enable organisations, of 
all types and sizes, to implement and operate effective quality management systems. 


3. THE ISO 9000:2000 FAMILY 

ISO 9000 Quality management systems - Fundamentals and vocabulary 

sets out the fundamentals of quality management systems and contains definitions of the terms 
used. 

ISO 9001 Quality management systems - Requirements 

sets out the requirements for quality management systems for use where an organisation's 
capability to provide products and/or services that meet customer and applicable regulatory 
requirements needs to be demonstrated. 

ISO 9004 Quality management systems - guidelines on performance improvements 

provides guidance on quality management systems. The Guide contains information on the 
processes for continual improvement that contribute to the satisfaction of an organisation’s 
customers and interested parties. It is not a guide to implement ISO 9001. 


4. ISO 9000: Quality management systems - fundamentals and vocabulary 

4.1 This Standard contains definitions of the terms used in quality assurance and information on 
some of the fundamental issues addressed by the ISO 9000:2000 family of Standards. 

ISO 9000 attempts to provide clear explanations of the terms and issues used in quality 
management. 

The Standard is divided into two parts: 

• Fundamentals; 

• Vocabulary (terms and definitions). 

4.2 Fundamentals 

The section on fundamentals covers the “why” and “how” of quality management. It contains 
guidance on some requirements of ISO 9001. Subjects covered include: 

• rationale for quality management systems; 

• the process approach; 

• quality policy and objectives; 

• role of top management; 

• documentation; 

• role of statistical techniques. 

4.3 Vocabulary 

The Section contains terms and definitions not defined elsewhere, and terms having a special 
meaning in quality management. The definitions are set out in such a way that a term may be 
replaced by its definition in other definitions. 

For example: 

The definition of Specification is: 

Document (3.7.2) stating requirements (3.1.2). 

By replacing the terms in bold with their definitions from the Standard, 'specification' may be 
defined as: 

Information and its supporting medium stating need or expectation that is stated, generally 
implied or obligatory. 

4.4 Appendix 1 contains some important definitions from ISO 9000:2000. 


5. RELATIONSHIP BETWEEN ISO 9001 AND 9004 

ISO 9001 is intended to be one of a consistent pair of quality management system standards, 
the other being ISO 9004. 

The two are designed to be used together, but may be used independently. They have different 
scopes, but similar structures. ISO 9001 sets out the requirements for a quality management 
system that may be used by organisations for certification or contractual purposes. The focus 
of ISO 9001 is towards continually improving the effectiveness of the quality management 
system in meeting customer requirements. 

ISO 9004 provides information to managers who wish to build on the requirements of ISO 9001 in 
the pursuit of continual improvement in performance, efficiency and effectiveness. It is not 
intended for certification or contractual use. 

As a consistent pair of Standards, ISO 9001 and ISO 9004 may be used to resolve problems 
that may arise in the understanding of audit systems or situations. 


6. COMPATIBILITY WITH OTHER STANDARDS 

The ISO 9000 family is intended to be compatible with other internationally recognised 
management system standards. 







ISO 14001 Environmental management systems - Specification with guidance for use 

sets out the requirements for environmental management systems and contains guidance for the 
implementation of the requirements. 

OHSAS 18001 Occupational health and safety management systems - Specification 

sets out the specifications for an occupational health and safety management system standard 
against which management systems may be audited and certificated. 

ISO 19011 Guidelines on quality and/or environmental management systems auditing. 

Whilst ISO 19011 is only a guidance document, it does provide detailed information on the 
planning and implementation of effective auditing. This is vitally important to organisations 
carrying out audits of suppliers and to certification bodies. 

The intention is that these Standards, together with ISO 9001, may be fully integrated into 
one management system. 


7. LEGAL COMPLIANCE - ISO STANDARDS 

The progressive development of customer-driven standards and the increase in world-wide 
legislation involving environmental, health and safety is focusing organisations on developing 
integrated management systems to address legal requirements and process based 
management systems. 

Implementation of these systems alone will not bestow immunity from company liability or 
prosecution, but will significantly reduce the risks if the systems are maintained effectively. 

Auditors conducting audits on quality management systems and integrated management 
systems will have to be aware of the ISO standards and the legal requirements of the 
respective countries where they are conducting the audits. In this respect, there is a significant 
difference between legal compliance and conformance with ISO standards. 

Where an organisation is not in compliance with legal requirements, the organisation may be 
liable to prosecution. If an organisation's quality management system is not in conformance 
with ISO 9001, third-party certification may be withdrawn but the organisation will not be liable 
to prosecution. 

Auditors conducting quality management system audits identify, by evidence, areas of 
conformance and nonconformance to ISO 9001 through their formal reporting system. Where 
there is evidence of nonconformance to legal requirements, it is advisable to bring this to the 
attention of the organisation management who then have the responsibility to take appropriate 
action through their environmental and/or their health and safety control systems. 

Where auditors are appropriately trained and conducting integrated management system 
audits, they are required to report both legal compliance and ISO conformance against the 
audit evidence. 

8. PROCESS APPROACH 

8.1 For an organisation to function effectively, management has to identify and co-ordinate 
numerous linked activities. An activity that takes “inputs” and converts them to “outputs” can be 
considered as a “process”. Very often the output from one process becomes the input for 
another process. 

Thus, organisations may comprise a number of linked processes that need to be identified and 
managed. 

The process approach, therefore, is the systematic identification and management of these 
activities and the interactions between activities. 

Used properly, the process approach provides control over the processes, the links between 
processes, and the combination and interaction of processes. 

8.2 The process approach emphasises the importance of: 

• the understanding and fulfilment of requirements; 

• the need to consider processes in terms of added value; 

• obtaining results of process performance and effectiveness; 

• continual improvement of processes based on objective measures. 

8.3 The diagram ‘model of a process-based quality management system’ sets out the structure and 
elements of a process as addressed by Clauses 4 to 8 of ISO 9001 (see Appendix 2). The 
model shows that customers play a significant role in defining requirements as inputs. 

8.4 The Process Approach is based upon the methodology known as Plan-Do-Check-Act (PDCA): 

Plan: 

The objectives and processes needed to meet customer requirements, consistent with the 
organisation’s policies, need to be planned and established; 

Do: 

The processes are implemented; 

Check: 

The process and products are monitored and measured against the policies, objectives and 
requirements for the product and the results are analysed and reported; 

Act: 

Actions are taken to continually improve process performance. 

This methodology is addressed explicitly within the clauses and requirements of ISO 9001:2000. 


9. QUALITY MANAGEMENT PRINCIPLES 

9.1 The ISO 9000:2000 family is based upon eight management principles. These have been 
developed for use by top management to lead the organisation towards improved performance. 
Top management may develop a business culture based upon the eight principles across the 
organisation. 

• Customer focused organisation 

The need to understand current and future customer needs, to meet customer requirements and 
exceed expectations is central to the Standard as a consistent theme throughout. This is based on 
the fact that organisations depend upon their customers. 

• Leadership 

This is leadership to meet objectives. The purpose of leadership is to ensure objectives, goals and 
targets of the organisation are fully met. Leaders establish unity of purpose and the direction of the 
organisation. They need to ensure that people are fully involved in achieving these objectives by 
creating the environment for them to do so. 

• Involvement of people 


Since the success of the organisation depends so much on the people employed, they need to be 
fully involved so that their abilities are used for the benefit of the organisation. 

• Process approach 

Results are achieved most effectively and efficiently when resources and activities are managed as 
a process. 

• System approach to management 

The effectiveness and efficiency of an organisation are improved by identifying, understanding and 
managing a system of interrelated processes needed to achieve objectives. 

• Continual improvement 

Continual improvement of the organisation’s overall business performance should be a permanent 
objective of any organisation. 

• Factual approach to decision-making 

Effective decisions are based on the analysis of data and information. 

• Mutually beneficial supplier relationships 

An organisation and its suppliers are interdependent and a mutually beneficial relationship 
enhances the ability of both to create value. 

These principles underpin the ISO 9000:2000 series of standards. 

Lecture 2 

ISO 9001:2000 overview 


OBJECTIVES 

When you have completed this topic, you will be able to: 

• describe the structure of ISO 9001:2000; 

• understand the scope and application of ISO 9001:2000; 

• describe the basis on which exclusions from ISO 9001 may be possible; 

• understand the requirements of ISO 9001:2000, Clause 4. 


KEY POINTS 

❖ The structure of ISO 9001:2000 


❖ Scope of ISO 9001:2000 


❖ Application of ISO 9001:2000 


❖ General requirements 


❖ General documentation requirements 




1. The structure of ISO 9001:2000 

1.1 ISO 9001 comprises 8 Clauses: 

1. Scope 

2. Normative reference 

3. Terms and definitions 

4. Quality management system 

5. Management responsibility 

6. Resource management 

7. Product realization 

8. Measurement, analysis and improvement 

Each of these is divided into a number of sub-clauses containing specific requirements. 

1.2 Scope of ISO 9001 

ISO 9001 sets out the requirements for a quality management system where an organisation: 

• needs to demonstrate the ability to consistently provide product that meets customer 
and applicable regulatory requirements 

and 

• aims to enhance customer satisfaction through the effective application of the system 
including processes for continual improvement and the assurance of conformity to 
customer and applicable regulatory requirements. 

1.3 Application of the Standard 

The requirements are generic and applicable to all organisations, regardless of type, size and 
product or service provided. 

However, where any of the requirements cannot be applied “due to the nature of the 
organisation” these may be considered for exclusion. 

An organisation may only exclude requirements from Clause 7 of ISO 9001. 

The exclusion must not affect ability or responsibility to provide product or service that meets 
customer and applicable regulatory requirements. 

1.4 An organisation, therefore, has to define clearly which of its products or services are to be included 
within the scope of the quality management system. 

The organisation is not obliged to include within the scope of the quality management system 
every area, business process or product that it provides. However, if an organisation chooses to 
limit the scope of the quality management system, this should be made clear in the Quality Manual 
and other publicly available documents to avoid confusing or misleading customers. 

For those products that are included in the scope of the quality management system, all 
requirements of ISO 9001:2000 have to be met, unless it can be demonstrated that certain 
requirements in Clause 7 (Product Realization) are not relevant to the particular situation of the 
organisation. 

The International Accreditation Forum (IAF) guidelines point out that Certification Bodies need 
to take particular care in defining the scope of certificates issued to ISO 9001:2000 and the 
application of the requirements of the Standard. 

1.5 It should be noted that exclusions do not apply only to entire clauses; there may be 
circumstances where only a portion of the requirements of one of the sub-clauses of Clause 7 of 
ISO 9001:2000 can be excluded. 

One example of such an exclusion might be where an organisation is currently registered 
against ISO 9002:1994 and has no involvement in design activities. 

The fact that a specific activity (such as design and development, or purchasing) is outsourced, 
or carried out by a different entity, is not in itself adequate justification for the exclusion of that 
activity from the quality management system. This is because overall responsibility for and/or 
co-ordination of that activity may remain with the organisation. 

In this case, the organisation must be able to demonstrate that there is sufficient control 
exercised by the organisation to ensure that the outsourced processes are performed according 
to the relevant requirements of ISO 9001:2000. The extent of this control will depend on the 
nature of the outsourced or subcontracted processes as part of the contractual agreement with 
the supplier. Clause 7.4 (Purchasing) must be used to monitor the output of these outsourced 
or subcontracted processes. 

1.6 Exclusions to ISO 9001:2000 that are not permissible include: 

a) where an organisation has simply discarded a requirement in Clause 7 as being irrelevant 
just because they do not want to do it; 

b) where an organisation excludes a requirement because they have not previously addressed it 
in their quality management system. The fact that they have not previously carried out the 
requirement does not mean that the requirement is not applicable to the organisation’s 
activities; 

c) where clauses from outside of Clause 7 have been excluded from the quality management 
system because regulatory bodies do not require them; 

d) where requirements in Clause 7 have been excluded that are not required by regulatory 
bodies but do affect the organisation's ability to meet customer requirements; 

e) where requirements in Clause 7 required by regulatory bodies have been excluded even 
though they do not affect the organisation’s ability to meet customer requirements; 

f) where clauses have been excluded from the quality management system without 
adequate justification in the Quality Manual. 

1.7 All exclusions need to be justified in the Quality Manual. 

1.8 Any exclusions that do not meet the criteria established in Clause 1.2 of ISO 9001:2000 would 
mean that conformity to ISO 9001:2000 may not be claimed. 


2. ISO 9001 REQUIREMENTS 

Appendix 3 shows the ISO 9001 clauses. 

The main points and meaning of Clauses 4.1 and 4.2 are summarised below. 

For ease of reference, the paragraph numbers follow the clause numbers of ISO 9001:2000. 


4. QUALITY MANAGEMENT SYSTEM 

4.1 General requirements 

The organisation is to establish, document, implement and maintain a quality management 
system and continually improve its effectiveness. 

To implement the system, the organisation must: 

a) identify the processes needed throughout the organisation; 

b) determine the sequence and interaction of processes; 

c) determine criteria and methods needed to ensure effective operation and control; 

d) ensure the availability of resources and information; 

e) monitor, measure and analyse the processes; 

f) implement actions necessary to achieve planned results and continual improvement. 

These processes are to be managed in accordance with the requirements of the Standard. 

The organisation is to control any outsourced processes and these controls are to be identified 
within the quality management system; in key processes, business plans and so on. 


4.2 Documentation requirements 
4.2.1 General 

The documentation must include: 

• documented statements of a quality policy and quality objectives; 

• a quality manual; 

• documented procedures required by the Standard; 

• documents required by the organisation to ensure the effective planning, operation and 
control of processes; 

• records required by the Standard. 

Documentation should be structured to fit: 

• the size of the organisation and type of activities; 

• complexity of the processes and their interaction; 

• competencies of personnel. 


4.2.2 Quality Manual 

The Quality Manual must include: 

• the scope of the quality management system, including details of and justification for any 
exclusions; 

• documented procedures or references to them; 

• a description of the interaction between the processes included in the quality management 
system. 


4.2.3 Control of documents 

A documented procedure to control documents by: 


• approval prior to issue; 

• reviewing and updating as necessary; 

• changes and current revision status being identified; 

• relevant versions being available at point of use; 

• documents being legible and identifiable; 

• external documents being identified; 

• obsolete documents being prevented from unintended use. 

4.2.4 Control of records 

A documented procedure to control records by: 

• identification; 

• storage; 

• protection; 

• retrieval; 

• retention time; 

• disposition. 

A list of records required by the Standard is set out in Appendix 4. 


Lecture 3 

ISO 9001:2000, CLAUSES 5 & 6 

OBJECTIVES 

When you have completed this topic, you will be able to: 

• understand the requirements of Clauses 5.1 - 5.6.3 

• understand the requirements of Clauses 6.1 - 6.4 

KEY POINTS 

❖ Management commitment 

❖ Customer focus 

❖ Quality policy 

❖ Quality objectives 

❖ Quality management system planning 

❖ Responsibility and authority 

❖ Management representative 

❖ Internal communication 

❖ Management review 

❖ Human resources 

❖ Infrastructure 

❖ Work environment 

1. ISO 9001 requirements 

The main points and meaning of Clauses 5 and 6 are summarised below. 

For ease of reference, the paragraph numbers follow the Clause numbers of ISO 9001:2000. 

5. MANAGEMENT RESPONSIBILITY 

5.1 Management commitment 

Top management must provide evidence of commitment to: 

• the development and implementation of the quality management system, and 

• continually improving its effectiveness by: 

- communicating to the organisation the importance of meeting customer requirements; 

- communicating to the organisation the importance of meeting statutory and regulatory 
requirements; 

- establishing the quality policy; 

- ensuring that quality objectives are established; 

- conducting management reviews; 

- ensuring the availability of resources. 

5.2 Customer focus 

Top management must ensure that customer requirements are: 

• determined; 

• met with the aim of enhancing customer satisfaction. 

5.3 Quality policy 

Top management shall ensure that the Quality Policy: 

• is appropriate; 

• includes a commitment to comply with requirements and continually improve the 
effectiveness of the quality management system; 

• provides a framework for establishing and reviewing quality objectives; 

• is communicated and understood; 

• is reviewed for continuing suitability. 






5.4 Planning 

5.4.1 Quality objectives 

Top management to ensure that quality objectives are established at the relevant functions and 
levels within the organisation. 

The objectives must be measurable and consistent with the quality policy. 

Quality objectives are to include those needed to meet requirements for the product. 


5.4.2 Quality management system planning 

Top management must ensure that: 

• the planning is carried out to meet quality objectives and the requirements in Clause 4.1; 

• the integrity of the system is maintained when changes to the system are planned and 
implemented. 

Management must implement quality planning for the activities and resources needed to satisfy 
the quality policy, objectives and requirements. 


5.5 Responsibility, authority and communication 

5.5.1 Responsibility and authority 

Top management to ensure that responsibilities and authorities are defined and communicated 
within the organisation. 

5.5.2 Management representative 

Management Representative is to: 

• ensure that processes are established, implemented and maintained; 

• report to top management on the performance and any need for improvement; 

• ensure the promotion of awareness of customer requirements throughout the organisation. 


5.5.3 Internal communication 

Top management to ensure communication takes place regarding the effectiveness of the quality 
management system. 


5.6 Management review 

5.6.1 General 

Review to: 

• be held at planned intervals, to ensure the system’s continuing suitability, adequacy 
and effectiveness; 

• assess opportunities for improvement; 

• assess the need for changes to the system including the quality policy and quality objectives. 

5.6.2 Review input 

Inputs to include information on: 

• results of audits; 

• customer feedback; 

• process performance and product conformity; 

• status of preventive and corrective actions; 

• follow-up actions from earlier management reviews; 

• changes that could affect the quality management system; 

• recommendations for improvement. 


5.6.3 Review output 

Outputs to include decisions and actions related to: 

• improvements to the effectiveness of the system and processes; 

• improvement of product related to customer requirements; 

• resource needs. 


6. RESOURCE MANAGEMENT 

6.1 Provision of resources 

Resources to be determined and provided for: 

• implementing and maintaining the system and continually improving its effectiveness; 

• enhancing customer satisfaction by meeting customer requirements. 


6.2 Human resources 

6.2.1 General 

Personnel performing work affecting product quality to be competent on the basis of: 

- appropriate education; 

- training; 

- skills and 

- experience. 

6.2.2 Competence, training and awareness 

The organisation must: 

• determine competencies; 

• provide training or other actions to satisfy competence needs; 

• evaluate the effectiveness of actions taken; 

• ensure awareness of the relevance and importance of activities and contribution to 
achievement of objectives; 

• maintain appropriate records of education, training, skills and 
experience. 

6.3 Infrastructure 

The infrastructure is to be determined, provided and maintained including, as applicable: 

• buildings, workspace and associated utilities; 

• supporting services such as transport, communication. 


6.4 Work environment 

Work environment to be determined and managed. 

Lecture 4 

ISO 9001:2000, CLAUSES 7 & 8 

OBJECTIVES 

When you have completed this topic, you will be able to: 

• understand the requirements of Clauses 7.1 - 7.6 

• understand the requirements of Clauses 8.1 - 8.5.3 


KEY POINTS 

❖ Planning the product realisation 

❖ Determination of requirements relating to the product 

❖ Review of requirements relating to the product 

❖ Customer communication 

❖ Design and development requirements 

❖ Purchasing 

❖ Production and service provision 

❖ Control of monitoring and measuring devices 

❖ Monitoring and measurement 

❖ Customer satisfaction 

❖ Internal audit 

❖ Monitoring and measurement of processes 

❖ Monitoring and measurement of product 

❖ Control of nonconforming product 

❖ Analysis of data 

❖ Continual improvement 

❖ Corrective action 

❖ Preventive action 




1. ISO 9001 requirements 

The main points and meaning of Clauses 7 and 8 are summarised below. 

For ease of reference, the paragraph numbers follow the Clause numbers of ISO 9001:2000. 


7. PRODUCT REALIZATION 

7.1 Planning of product realization 

Processes needed for product realisation are to be planned and developed. 

Planning product realisation to determine, as appropriate: 

• quality objectives and requirements for the product; 

• the need to establish processes, documents and provide resources specific to the product; 

• required verification, validation, monitoring, inspection and test activities specific to the 
product and the criteria for product acceptance; 

• records needed to provide evidence that the realisation processes and resulting product 
meet requirements. 

The output of the planning activity must be in a form that is suitable for the organisation’s method of 
operations, which may include the development and implementation of formal Quality Plans. 


7.2 Customer-related processes 

7.2.1 Determination of requirements related to the product 

The organisation is to determine: 

• requirements specified by the customer; 

• requirements not stated by the customer but necessary for specified or intended use, 
where known; 

• statutory and regulatory requirements; 

• additional requirements determined by the organisation. 


7.2.2 Review of requirements related to the product 

The organisation is to review the requirements related to the product before the commitment to 
supply. 

The purpose is to ensure that: 

• product requirements are defined; 

• differences are resolved; 

• the organisation has the ability to meet defined requirements. 

The results of the review and actions are to be recorded. 

If requirements are changed, the relevant documents are to be amended and relevant personnel 
made aware of the changed requirements. 


7.2.3 Customer communication 

Effective arrangements for communication to customers must be determined and implemented in 
relation to: 

• product information; 

• enquiries, contracts or order handling, including amendments; 

• customer feedback, including customer complaints. 


process equipment, both hardware and software; 


7.3 Design and development 

7.3.1 Design and development planning 

The design and development of product to be planned and controlled: 

• interfaces managed; 

• planning output updated as appropriate. 

The organisation to determine: 

• any design and development changes; 

• the review, verification and validation appropriate to each stage; 

• responsibilities and authorities. 


7.3.2 Design and development inputs 

Inputs relating to product requirements must be determined and recorded. 

Inputs are now to include: 

• functional and performance requirements; 

• applicable statutory and regulatory requirements; 

• information derived from similar previous designs. 

Inputs to be reviewed for adequacy. 

7.3.3 Design and development outputs 

Outputs are to: 

• be in a form suitable for verification; 

• meet input requirements; 

• provide appropriate information for purchasing, production and service provision; 

• contain or reference product acceptance criteria; 

• specify characteristics for safe and proper use. 

7.3.4 Design and development review 

Review is to take place at suitable stages to: 

• evaluate the ability to meet requirements; 

• identify problems and propose necessary actions. 


7.3.5 Design and development verification 

To ensure that outputs satisfy inputs. 


7.3.6 Design and development validation 

Validation to ensure that product is capable of meeting requirements for use. 

Where practical: 

• validation is to be completed prior to the delivery or implementation of the product. 

7.3.7 Control of design and development changes 

Changes to be identified, reviewed, verified and validated as appropriate; 

• evaluation of changes to include effect of changes on constituent parts and delivered 
product. 


7.4 Purchasing 

7.4.1 Purchasing process 

Controlled to ensure purchased product conforms to requirements. The type of control over 
suppliers to be to the extent necessary. 

Suppliers to be evaluated, selected on ability to supply products in accordance with 
requirements. Criteria for selection, evaluation, re-evaluation to be established. 

7.4.2 Purchasing information 

Information to describe the product to be purchased, including where appropriate: 

• requirements for approval of product, procedures, processes and equipment; 

• qualification of personnel; 

• quality management system requirements. 


7.4.3 Verification of purchased product 

Inspection or other activities necessary for ensuring purchased product meets purchase 
requirements to be established and implemented. 

Verification activities and methods to be stated in purchasing release information when intended to 
be performed at the supplier’s premises. 


7.5 Production and service provision 

7.5.1 Control of production and service provision 

Production and service operations are to be controlled, as applicable, through: 

• information that describes the characteristics of the product; 

• the availability of work instructions; 

• the use of suitable equipment; 

• the availability and use of monitoring and measuring devices; 

• the implementation of monitoring and measurement, and 

• the implementation of release, delivery and post-delivery activities. 


7.5.2 Validation of processes for production and service provision 

Processes to be validated where the resulting output cannot be verified by subsequent 
monitoring or measurement. 

Arrangements to include, as applicable: 

• defined criteria for review and approval; 

• approval of equipment and qualification for personnel; 

• use of specific methods and procedures. 


7.5.3 Identification and traceability 

Where appropriate, product to be identified by suitable means. 

Product status to be identified. 

Where traceability is a requirement, the organisation to control unique identification of product. 


7.5.4 Customer property 

Customer property to be identified, verified, protected, and safeguarded. This may include 
intellectual property. 


7.5.5 Preservation of product 

Product conformity to be preserved during processing and delivery. This includes identification, 
handling, packaging, storage and protection. Applies to constituent parts of a product. 


7.6 Control of monitoring and measuring devices 

The organisation is to establish processes to ensure that monitoring and measurement is 
carried out in a manner that is consistent with the monitoring and measurement requirements. 

Where necessary to ensure valid results, measuring equipment is to be: 

• calibrated or verified at specified intervals or prior to use against measurement standards 
traceable to international or national standards; where no such standards exist, the basis 
for calibration to be recorded; 

• adjusted or re-adjusted as necessary; 

• identified to enable calibration status to be determined; 

• safeguarded from adjustments that would invalidate the measurement result; 

• protected from damage and deterioration. 

The organisation is to assess and record the validity of the previous measuring results when 
equipment is found not to conform to requirements. The organisation is to take appropriate 
action on the equipment and any product so affected. 

Computer software used for monitoring and measuring of specified requirements is to be 
confirmed to have the ability to satisfy the intended application prior to initial use and 
reconfirmed as necessary. 


8. MEASUREMENT, ANALYSIS AND IMPROVEMENT 

8.1 General 

The organisation is to plan and implement the monitoring, measurement, analysis and 
improvement processes needed to: 

• demonstrate conformity of product; 

• ensure conformity of the quality management system; 

• continually improve the effectiveness of the quality management system. 

These are to include the determination of applicable methods including statistical techniques, 
and the extent of their use. 


8.2 Monitoring and measurement 

8.2.1 Customer satisfaction 

The organisation is to monitor information relating to customer perception as to whether the 
organisation has met customer requirements as one of the measurements of performance of the 
quality management system. 

The methods for obtaining and using this information are to be determined. 


8.2.2 Internal audit 

Internal audits are to determine whether the quality management system conforms: 

• to the planned arrangements; 

• to the requirements of the International Standard; 

• to quality management system requirements set up by the organisation, and 

• is effectively implemented and maintained. 

The Clause explicitly requires: 

• the planning of an audit programme considering the status and importance of the 
processes and areas being audited as well as results of previous audits; 

• audit criteria, scope, frequency and methods to be defined; 

• the selection of auditors and the conduct of auditors shall ensure objectivity and impartiality 
of the audit process. Auditors shall not audit their own work; 

• a documented procedure to define the responsibilities and requirements for planning and 
conducting audits, recording and reporting results. 


8.2.3 Monitoring and measurement of processes 

The organisation must use suitable methods for monitoring and, where applicable, 
measurement of quality management system processes. 

These methods must demonstrate the ability of processes to achieve planned results. 

When planned results are not achieved, correction and corrective action shall be taken, as 
appropriate, to ensure conformity of the product. 


8.2.4 Monitoring and measurement of product 

Product characteristics to be monitored and measured to verify that requirements have been 
met. 

This to be carried out at appropriate stages of the realisation process. 

Product release and service delivery not to proceed until planned arrangements have been 
satisfactorily completed unless otherwise approved by a relevant authority and, where 
applicable, customer. 


8.3 Control of nonconforming product 

Product which does not conform to requirements must be identified and controlled to prevent 
unintended use. Control, responsibilities and authorities to be defined in a documented procedure. 


8.4 Analysis of data 

Appropriate data is to be determined, collected and analysed to demonstrate the suitability and 
effectiveness of the quality management system and to evaluate where continual improvement 
can be made. 

This includes data generated by monitoring and measuring activities and other relevant 
sources. 

The data is to be analysed to provide information on: 

• customer satisfaction; 

• conformity to product requirements; 

• characteristics and trends of processes and products including opportunities for preventive 
action; 

• suppliers. 


8.5 Improvement 

8.5.1 Continual improvement 

The organisation is to continually improve the effectiveness of the quality management system 
through the use of: 

• the quality policy; 

• quality objectives; 

• audit results; 

• analysis of data; 

• corrective and preventive action; 

• management review. 


8.5.2 Corrective action 

Actions to eliminate the cause of nonconformities to be taken as appropriate. 

A documented procedure to define requirements for: 

• reviewing nonconformities; 

• determining the causes of nonconformities; 

• evaluating the need for action to prevent recurrence; 

• taking appropriate action; 

• reviewing action. 


8.5.3 Preventive action 

Action to be taken to eliminate the causes of potential nonconformities and to prevent their 
occurrence. Preventive actions to be appropriate to the effects of potential problems. 

A documented procedure to define requirements for: 

• determining potential nonconformities and causes; 

• evaluating the need for action to prevent occurrence of nonconformities; 

• determining and implementing actions needed; 

• recording and reviewing preventive actions taken. 


Lecture 5 

Processed-based quality management systems 

OBJECTIVES 

When you have completed this topic, you will be able to: 

• understand the steps needed to establish a quality system; 

• understand the formulation of quality policy and quality objectives; 

• be aware of the key components of a Quality Manual; 

• be aware of the application of qms documents; 

• understand the purpose of quality plans and records; 

• differentiate between documents and records; 

• be aware of the development of electronic data systems and the implication for auditors; 

• explain document control requirements; 

• understand how to review quality system documents. 


KEY POINTS 

❖ Establishing a quality management system 

❖ Quality system documentation 

❖ Quality policy and objectives 

❖ Quality manual 

❖ Documented procedures 

❖ Other documents 

❖ Quality plans 

❖ Records 

❖ Electronic data systems 

❖ Control of documents and records 

❖ Document evaluation 



1. INTRODUCTION 

Lecture 1 considered the reasons that organisations set up quality management systems and 
the quality management principles that should guide such systems. The Lectures that followed 
analysed the criteria contained within ISO 9001:2000. This Lecture addresses the structure of 
quality management systems based upon the process approach in the ISO Standards; Lecture 
6 considers the implications for auditors. 


2. ESTABLISHING A QUALITY MANAGEMENT SYSTEM 

2.1 The process approach 

A process is defined as: 

Set of interrelated or interacting activities which transforms inputs into outputs 
(ISO 9000:2000, para.3.4.1) 

This definition means that processes bring about a change of state. They convert inputs into 
outputs and, therefore, must have measurable objectives (quantitative and qualitative). 

Processes may cut across departmental or functional boundaries and may incorporate a 
number of resources to achieve their objectives. 

Essentially, processes are dynamic; they are designed to achieve a desired output; they cause 
things to happen. Processes interact with other processes in order to flow to a conclusion, that 
conclusion being to meet customer requirements and to ensure continual improvement. 

An example of a processed based quality management system is set out in Appendix 5. 

2.2 To set up a quality management system based on the ISO 9000:2000 Series of Standards, an 
organisation must: 

• determine the needs and expectations of customers; 

• establish a quality policy and quality objectives; 

• determine the processes and responsibilities necessary to achieve these objectives; 

• apply methods to measure the effectiveness of each process; 


• determine the means of preventing nonconformities and eliminating their causes; 

• provide an adequate monitoring and review system; 

• establish and apply a process of continual improvement to the quality management 
system. 

The quality management system should be able to provide a framework for continual 
improvement and to increase the probability of enhancing customer satisfaction. 

2.3 The quality management system should cover the essential functions that contribute to meeting 
business objectives such as: 

• top management responsibilities; 

• marketing; 

• sales; 

• human resources; 

• facility management; 

• the product realisation processes; 

• distribution; 

• finance; 

• any other function that contributes to meeting the business objectives. 

2.4 The quality management system will include: 

• strategic planning and 

• the establishment, documentation, implementation of processes throughout the 
organisation. 


3. QUALITY SYSTEM DOCUMENTATION 

3.1 ISO 9001 requires that quality management system documentation includes: 

• documented statements of a quality policy and quality objectives; 

• a quality manual; 

• documented procedures covering specific areas of the Standard; 

• documents required by the organisation to ensure the effective planning, operation and 
control of processes; 

• records to provide evidence that planned results have been achieved. 

3.2 It is useful to note that the documentation should be structured to fit: 

• the size of the organisation and type of activities; 

• complexity of the processes and their interaction; 

• the competence of personnel. 

3.3 A document is virtually anything that provides information. It may be a record, procedure, 
specification, drawing or report. The information may be presented on paper, magnetic tape, 
computer disc, photograph, master samples or a combination of these. 

In those areas where the Standard calls for “documented procedures”, one would expect to 
find information set out formally, meeting the criteria set out in paragraph 6.3 below. 

3.4 The flexible approach of the Standard is intended to enhance the implementation, maintenance 
and improvement of the system. This being the case, management should decide upon 
structure and format of the documentation that is needed to support the quality management 
system. The nature and extent of the documentation should depend upon, and meet, the needs 
of the organisation. 

3.5 Demonstrating compliance with ISO 9001:2000 

In order to claim conformity with ISO 9001:2000, the organisation must provide evidence of the 
effectiveness of the processes and quality management system. As noted above, this may not 
necessarily depend on documented procedures or records, except where these are specifically 
required by ISO 9001:2000. Organisations, particularly small organisations, may be able to 
demonstrate conformity without the need for extensive documentation. 


4. THE QUALITY POLICY AND OBJECTIVES 

4.1 Quality policy 

The Quality Policy should demonstrate the commitment of Top Management. The policy 
should: 

• be consistent with the business policies and objectives; 

• commit to customer satisfaction, legal compliance and to continually improve the 
effectiveness of the quality management system. 

The policy should provide the framework for establishing and reviewing quality objectives. 

An effectively formulated quality policy should: 

• demonstrate top management commitment to quality and the provision of adequate 
resources for its achievement; 

• promote a commitment to quality at all levels in the organisation; 

• be consistent with the organisation’s overall business policies; 

• be consistent with the vision of the organisation’s future; 

• enable quality objectives to be understood throughout the organisation; 

• address continual improvement and customer satisfaction. 

4.2 Quality objectives 

The commitment in the quality policy to continual improvement is achieved through the setting and 
meeting of quality objectives. 

The objectives should be: 

• set at each relevant function and level; 

• measurable and consistent with the quality policy. 

This includes those objectives needed to meet the requirements for the product. 

Quality objectives should be: 

• Set; 

• Measurable; 

• Achievable; 

• Realistic; 

• Timed. 

4.3 Once decided, the objectives need to be communicated to the appropriate people in a way that they 
are able to translate these objectives into their individual contributions. An auditor should be able to 
trace the “objective cascade” through the organisation. 

Appendix 6 shows an objective cascade. 











Objectives should be reviewed periodically and revised as necessary in order to provide the 
means for the continual improvement of the quality management system. 


5. QUALITY MANUAL 

5.1 Contents 

Exactly how the organisation has structured its quality management system should be set out in 
the Quality Manual. The Quality Manual provides an overview of the quality system including 
the scope, together with the details and justification for any exclusions. 

The Manual should contain: 

• a description of the interaction of the processes of the system; 

• the documented procedures or reference to them. 

Exclusions from any requirements of ISO 9001 must be justified and limited to Clause 7, but the key 
words from Clause 1.2 must be heeded. The exclusions must “neither affect the organisation’s 
ability, nor absolve it from its responsibility” to provide product that meets customer requirements. 

An example of scope is set out in Appendix 7. 

5.2 The Standard requires that responsibilities and authorities and the interrelation between them 
are defined and communicated within the organisation (5.5.1). 

One way of doing this is through organisation charts and scopes of responsibility and these may 
well be presented in the Manual. 

The lines of reporting of the Management Representative, especially in terms of quality related 
decisions, should be clearly defined in the organisation structure. 

Appendix 8 provides an example of an organisation structure. 

Appendix 9 provides an example of a detailed job description. 


6. DOCUMENTED PROCEDURES 

6.1 ISO 9000:2000 defines procedure as: 

Specified way to carry out an activity or process 

Procedures are implemented, therefore, as “stand-alone” entities, designed to complete a task 
and in general to satisfy particular rules or requirements. 

They tend to be static, defining a sequence of events necessary to complete a task. 

6.2 ISO 9001:2000 calls for documented procedures in six areas: 


• control of documents (4.2.3); 

• control of records (4.2.4); 

• internal audit (8.2.2); 

• control of nonconformity (8.3); 

• corrective action (8.5.2); 

• preventive action (8.5.3). 


However, some organisations may need documented procedures in other areas covering 
particular departments, functions, or processes. 

6.3 Procedures should be written in an agreed format and the following are typical sections or 
headings: 

• purpose 

the objective or intention of the procedure. 

• scope 

applicability, boundaries. 

• procedure/method 

Who is responsible for the action/control? 

What is actioned/controlled and how, including: 

- information is processed; 
- methods and equipment used; 
- records to be completed/processed. 

Where: location. 

When: timing, frequency. 

• references 

other documents quoted and those that may need to be read to understand the procedure. 

6.4 The Documented Procedures may be contained within the Quality Manual or in a separate 
Procedures Manual. 

An example of a procedure is set out in Appendix 10. 


7. OTHER DOCUMENTS 

7.1 There may be other documents required by the organisation to ensure the effective planning, 
operation and control of its processes. 

7.2 Such documents may include: 

• process flow charts; 

• organisation charts; 

• production schedules; 

• work instructions; 

• operating instructions; 

• job cards; 

• user manuals; 

• inspection plans; 

• test methods and instructions; 

• drawings; 

• approved supplier lists; 

• technical manuals; 

• manufacturer’s recommendations; 

• performance standards. 


8. QUALITY PLANS 

8.1 ISO 9000 defines a Quality Plan as: 

A document specifying which procedures and associated resources shall be applied by 
whom and when to a specific project, product, process or contract. 

8.2 A quality plan focuses on an area of work relevant to a particular contract or project. The plan is 
usually a control document: 

• providing a statement of the operations to be carried out; 

• identifying the procedures and reference documents controlling the operations; 

• defining “hold” points; 

• indicating the means of monitoring process; 

• indicating the way by which records are generated and maintained. 


8.3 Hold points are the key or critical stages and activities in the Plan beyond which work must not 
proceed until that activity has been completed and verified. The evidence of such a review 
should be shown on the Plan at that time. The Plan may then continue to completion and be 
reviewed for adequacy against the contract or other documents. 


9. RECORDS 

9.1 ISO 9001 recognises records as a “special” type of document. The organisation needs to 
maintain records to demonstrate compliance with customer requirements and for determining 
the effectiveness of the quality management system. 

9.2 Records should be simple, effective and accurate, and provide information for staff to access as 
they work towards continuous improvement. 

Records should provide top management with useful information for continual improvement and 
should provide data for improving processes. 

9.3 Records may appear in any form which means that in many organisations, records will be held 
electronically. 


10.0 ELECTRONIC DATA SYSTEMS 

10.1 The introduction and use of electronic based systems can provide online access to information, 
communication and the elimination of obsolete documentation. 

10.2 However, auditors will need to consider the implications of such systems for: 

• security; 

• change control; 

• authorisation; 

• access controls; 

• document approvals; 

• signatories; 

• virus checking; 

• record keeping; 

• back-up controls; 

• restore testing; 

• control in the event of computer system failure. 


11. CONTROL OF DOCUMENTS AND RECORDS 

11.1 All quality system documents have to be controlled. There must be a documented procedure to 
ensure this. 

The following information is essential to control a document: 

• title; 

• number; 

• issue status; 

• page number and total number of pages; 

• approval authority; 

• issuing authority; 

• issue date. 

In some organisations the issuing and approval authorities may be the same person. 

11.2. A "quality" document and record should be: 

• identifiable - title, number; 

• up-to-date (documents); 

• legible; 

• understandable; 

• logically laid out; 

• clear in meaning; 

• adequate; 

• complete; 

• self consistent - within the purpose and scope of the system or process; 

• consistent with other documents; 

• available (documents); 

• retrievable (records). 


12. DOCUMENT EVALUATION 

12.1 A review of the documentation (“desk study”) should identify the key elements of the quality 
management system. 

The following technique is useful when initially drafting or examining a complicated document or 
process: 

a) produce a sequence of events in tabular form (See Appendix 11); 

b) turn this into a flow diagram (See Appendix 12); 

c) check the interfaces between the people, processes, departments and so on, referred to in 
the procedure. 


Lecture 6 

Auditing for continual improvement 

OBJECTIVES 

When you have completed this topic, you will be able to: 

• explain the relationship between management processes, continual improvement and the 
implications for auditors; 

• understand how audits can be used as a tool for the maintenance and improvement of 
management systems. 


KEY POINTS 

❖ Continual improvement 

❖ Difficult issues for auditors 

❖ The monitoring of processes 

❖ Analysing data 

❖ The purpose of measurement, analysis and improvement 

❖ Implications for auditors 



1. CONTINUAL IMPROVEMENT 

1.1 To audit effectively, the auditor will need to evaluate how the P-D-C-A process actually 
contributes to the continual improvement of the quality management system. More 
precisely, the auditor will need to evaluate how monitoring and measurement processes that 
the organisation has established contribute to the continual improvement of the quality 
management system. 










1.2 ISO 9001:2000, clause 8.5.1, requires that continual improvement of the effectiveness of the 
quality management system takes place through the use of the quality policy, quality 
objectives, audit results, analysis of data, corrective and preventive action and management 
review. 

1.3 Difficult issues 

In practical terms, this raises a number of difficult issues for auditors such as: 

• dealing with top management; 

• auditing the way in which objectives are "cascaded" throughout the 
organisation; 

• auditing resources, competence and infrastructure; 

• auditing the monitoring and measurement processes. 

Exactly how the auditor will approach these issues will depend upon: 

• the culture of the organisation; 

• the way in which processes have been defined and documented; 

• the methods used to gather and analyse information. 

1.4 The monitoring of processes 

As well as establishing measurable quality objectives (5.4.1), the organisation will have 
identified and established suitable methods of monitoring and measurement to evaluate: 

• customer satisfaction (8.2.1); 

• the performance of processes (8.2.3); 

• product characteristics (8.2.4). 

The performance of particular processes may be analysed through the monitoring and/or 
measurement of factors such as: 

• accuracy; 

• timeliness; 

• dependability; 

• reaction time of process and people to special internal and external requests; 

• cycle time or throughput; 

• effectiveness and efficiency of people; 

• utilisation of resources and technologies; 

• key performance indicators; 

• cost reduction. 

1.5 Analysing data 

All of this will involve collecting, recording, analysing, summarising and communicating data 
that will be needed to evaluate where improvements to the effectiveness of the 
organisation's quality management system can be made (8.4). 

The organisation should ensure that the monitoring, measurement and analysis processes, 
and the data collected will be of real practical benefit in providing: 

• a factual basis for decision making; 

• a contribution towards improving the effectiveness of the quality management 
system; 

• added value to the organisation; 

• indication of levels of achievement; 

• analysis and understanding of trends and variations. 

1.6 Appropriate statistical techniques must be determined and used to analyse data and identify 
levels of achievements, trends and variations (8.1). 

1.7 The results of the data analysis should be one of the inputs to the management review 
process (5.6.2) and should be used throughout the organisation to support effective and 
efficient management. 

1.8 The purpose of measurement, analysis and improvement 

The intent of Clause 8 of the Standard is to ensure that measurement, analysis and 
improvement techniques are: 

• reviewed periodically, with data verified on a continual basis to ensure 
accuracy and completeness; 

• used to establish priorities for the organisation; 

• used to benchmark individual processes as well as customer satisfaction; 

• used as an improvement tool. 

1.9 All of this information will provide evidence that: 

a) top management ensures that customer requirements are determined and met 
with the aim of enhancing customer satisfaction (5.2); 

b) the organisation is able to continually improve the effectiveness of the quality 
management system through the use of: 

• the quality policy; 

• objectives; 

• audit results; 

• analysis of data; 

• corrective and preventive action; 

• management review (8.5.1). 

1.10 Implications for auditors 

Auditors will need to evaluate the use of these monitoring, measurement, analysis and 
improvement processes so as to gain confidence that the organisation is able to: 

• demonstrate conformity of the product; 

• ensure conformity of the quality management system; and 

• continually improve the effectiveness of the quality management system (8.1). 

The audit methodology described in the rest of this Course aims to achieve these objectives. 


Lecture 7 

Registration, certification and auditor competence 


OBJECTIVES 

When you have completed this topic, you will be able to: 

• explain the terms used in certification and accreditation; 

• describe the certification and accreditation processes; 

• explain the purpose of surveillance visits; 

• state the purpose and benefits of a certificated qms; 

• be aware of the various auditor certification schemes; 

• understand the competence needs of auditors; 

• be aware of the role of IRCA in the approval of training courses and certification of auditors; 

• outline IRCA auditor certification requirements; 

• explain the need for auditor confidentiality; 

• outline the content and intent of the IRCA Code of Conduct. 


KEY POINTS 

❖ Certification and registration of organisations 

❖ Certification of auditors 

❖ Competence of auditors 

❖ Personal characteristics of auditors 




1. CERTIFICATION AND REGISTRATION OF ORGANISATIONS 

1.1 Third-Party Certification 

There are strict rules and regulations laid down for the conduct of third-party audits that are 
monitored by Accreditation Bodies. 

In the United Kingdom, the national accrediting body is the United Kingdom Accreditation 
Service (UKAS) which reports directly to the Government Department of Trade and Industry. In 
the USA, the RAB fulfils a similar role, as does the JAB in Japan. 

The most important function of a national accreditation body is to “accredit” organisations 
(certification bodies) to “certificate” or “register” other organisations against National and 
International Standards. So UKAS accredits companies such as SGS SSCE, BSI and Lloyds to 
carry out audits on organisations and to register those which meet the requirements of the 
Standard against which they are being audited. 

The accreditation body will also agree the scope of accreditation with the certification body. 
That is, the certification body will only be able to award certificates within specifically defined 
industrial sectors. 

The Standard to which Certification Bodies may be accredited is Guide 62, a standard 
published by the International Accreditation Federation (IAF). 

SGS SSCE is not registered to ISO 9001 but is accredited by the United Kingdom Accreditation 
Service (UKAS) to a European Standard, EN 45012, to register organisations that meet the 
requirements of quality management standards in specific industrial sectors. 

The accreditation body (UKAS) will carry out regular monitoring of the activities of the 
certification body against EN 45012 and will raise nonconformity reports as appropriate. 

1.2 To achieve accreditation, the certification body must: 

• have a formal, documented system of controls; 

• be audited by the Accreditation Body; 

• hold records on each auditor; 

• prove knowledge and experience of applicable industry sector; 

• have lead auditors certificated by an approved body. 

1.3 Certification process 

1.3.1 The process by which organisations are certificated or registered comprises: 

• a documentation review, to ensure that the quality management system exists and that the 
organisation is ready for the audit; 

• an on-site audit; 

• regular “surveillance” visits. 

1.3.2 Surveillance visits 

These are “mini” audits conducted by a certification body to review the ongoing effectiveness of 
a registered organisation’s quality management system. Surveillance visits take place regularly 
throughout the period that an organisation is registered. The duration of the audit is shorter 
than an initial audit and tends to be focussed on a particular part of the overall system. A 
certification body is able, therefore, to look at specific processes or areas in more depth. Over 
the period of registration, the intention is that the whole of an organisation’s quality 
management system will have been audited in this manner. 


2. CERTIFICATION OF AUDITORS 

2.1 To ensure independence of the certification process, the organisation which certificates 
auditors is separate from that which certificates organisations. 

An auditor certification scheme is one of the means for providing consistency and accuracy in 
the interpretation of the Standard by auditors. 

The purpose of the Auditor Certification Schemes is to certify as competent, auditors trained 
and qualified in the principles and practices of auditing quality management systems against 
ISO 9001:2000 and acceptable equivalent standards. 

2.2 National schemes 

Examples of national schemes are those provided by: 

• International Register of Certificated Auditors (IRCA) in the UK; 

• Registrar Accreditation Board (RAB) in the USA; 

• Quality Society of Australasia (QSA) covering Australia and New Zealand. 

2.2.1 IRCA auditor certification scheme 

The scheme operated by the IRCA comprises four categories of QMS 2000 Auditors: 

• QMS 2000 Provisional Auditor; 

• QMS 2000 Auditor; 

• QMS 2000 Principal Auditor; 

• QMS 2000 Lead Auditor. 

There is also an Internal QMS Auditor certification scheme that sets the competence and 
integrity of persons certificated to conduct internal audits of quality systems. 

Brief explanations of the categories of IRCA auditor are included in the definitions in 
Appendix 1. 

There are also schemes for specialist sector auditors such as computer software (TickIT), 
aerospace, maritime, pharmaceutical and environmental management. 








To maintain and manage the scheme, the IRCA: 

• sets the requirements for each grade of auditor, which focus on an applicant’s training, 
work, quality and audit experience; 

• approves and certificates auditor training courses; 

• maintains records of the Continuous Professional Development (CPD) of auditors. 

The IRCA certification scheme is outlined on their web site (www.irca.org). 

The IRCA Code of Conduct is set out in Appendix 13. 

The details of other schemes are published by the relevant auditor certification bodies. 


ISO 19011 contains guidance on: 

• the principles of auditing; 

• management of audit programmes; 

• audit activities; 

• the competence of quality management system auditors. 

This Course is based on the guidelines contained within ISO 19011. 


2.3 International scheme: IATCA 

As the certification of organisations expanded during the last decade, it was felt that auditors 
should be certificated by a scheme that is internationally recognised for accredited certification 
purposes and by Accreditation Bodies everywhere. 

The International Auditor and Training Certification Association (IATCA) was formed for this 
purpose by Multilateral Agreement between national auditor certification bodies in July 1995 
(see Appendix 14). 

The scheme operated by the IATCA provides two types of Auditor: 

Auditor; 

Senior Auditor. 

The IATCA Code of Conduct is set out in Appendix 15 and the IATCA certification scheme is 
outlined in their criteria document (see References). 

3. COMPETENCE OF AUDITORS 

3.1 ISO 19011, Guidelines on quality and/or environmental management systems auditing, sets out 
personal characteristics and competencies needed by an auditor. 

3.2 Personal Attributes 

An auditor needs to be: 
open minded; 
diplomatic; 
observant; 
perceptive; 
tenacious; 
decisive; 
self-reliant; 
fair; 
honest; 
discreet. 

3.3 In addition, the auditor must be appropriately educated, experienced and trained. 

3.4 The auditor should be competent in: 

• quality related methods and techniques, including: 

- quality terminology; 

- quality management principles and their application; 

- quality tools and their application; 

• relevant legislation, regulations and other requirements appropriate to the processes being 
audited; 

• products, services and operational processes of the organisation being audited. 

In addition, auditors should maintain their professional development and auditing abilities by 
updating their general and specific areas of competence and by participating in quality audits. 

Details on the initial and continual evaluation of auditors and audit team leaders are provided in 
ISO 19011. 


Lecture 8 

Audit: definition, principles, types, programme management 

OBJECTIVES 

When you have completed this topic, you will be able to: 

understand the definition of quality auditing; 
explain the principles of auditing; 
describe the difference in purpose and conduct between first, second and third party audits; 
be aware of the objectives and extent of audit programmes; 
understand the responsibilities, resources and procedures for auditing; 
describe the benefits and limitations of sampling; 
understand the need for monitoring and reviewing of the audit programme. 


KEY POINTS 

❖ Audit definition 

❖ Principles of auditing 

❖ Types of audit 

❖ Audit programme management 



1 DEFINITION 

1.1 ISO 9000 defines an audit as: 

A systematic, independent and documented process for obtaining audit evidence and 
evaluating it objectively to determine the extent to which audit criteria are fulfilled. 

In other words, a check that the quality management system is operating effectively in 
accordance with the system criteria. 

1.2 ISO 19011, Guidelines on quality and/or environmental management systems auditing, sets out 
the process by which audits are conducted. 


1.3 PRINCIPLES OF AUDITING 

To ensure that auditing is an effective and reliable management tool, auditing is based upon a 
number of fundamental principles. Understanding and following these principles will ensure 
that audit conclusions are relevant and sufficient, and that auditors working separately from one 
another will reach similar conclusions in similar circumstances. 

Auditing principles 

Three of the principles relate to the personal characteristics of auditors: 

• ethical conduct 

The role of the auditor is one of trust, integrity, confidentiality and discretion. Certificated 
auditors are bound by strict codes of conduct (see Appendices 14 and 16). 

• fair presentation 

Audit findings, audit conclusions and audit reports reflect truthfully, accurately and completely 
the audit activities. Any unresolved or diverging opinions between the audit team and the 
auditee and any obstacles encountered are reported; 

• due professional care 

Auditors must exercise a degree of care appropriate to the importance of the task and to the 
confidence placed in them by audit clients and other interested parties. Having the necessary 
competence is an important part of this. 

Two further principles concern the audit process: 

• independence 

Auditors must be independent of the organisation or activity being audited. They must remain 
free from bias and conflicts of interest; 

• evidence 

Audit evidence is verifiable. It is based on samples of the information available, since the audit 
is conducted during a finite period of time and with finite resources. However, the use of 
sampling must be appropriate to the confidence placed in the audit conclusions. 


1.4 TYPES OF AUDITS 

There are three types of audit: 

• First party 

• Second party 

• Third party 

First party (Internal Audit) 

Definition: 

an audit by the organisation of its own systems and procedures. 

Objective: 

to assure maintenance, development and improvement of the quality system. 

Requirement: 

ISO 9001:2000, clause 8.2.2. 


Second party (External Audit) 

Definition: 

an audit by the organisation on its suppliers and sub-contractors. 

Objective: 

• to determine suitability of suppliers; 

• to appraise supplier/subcontractor performance; 

• to determine that suppliers have the capability to supply product to meet purchasing 
requirements. 

Third party audit (External Audit) 

Definition: 

an audit by a body which is commercially and contractually independent of the organisation, its 
suppliers and customers. In this context, an audit by a certification body on an organisation’s 
quality management system against ISO 9001:2000. 

Objective: 

to determine whether an organisation’s quality system has been established, documented, 
implemented and maintained in accordance with a specified standard. 


2 AUDIT PROGRAMME MANAGEMENT 

2.1 General 

The purpose of an audit programme is to assist the organisation in providing the resources 
necessary to facilitate the conduct and completion of individual audits. There will obviously be 
tremendous variations between the audit programme of a certification body and that of an 
organisation carrying out internal audits. However, the process considerations will be the 
same. 

Depending on the nature of the organisation or activity to be audited, the audit programme will 
include audits with varying objectives, scope and criteria, for which the appropriate resources 
need to be allocated. 

Because of this, the authority for managing an audit programme should be assigned by top 
management. 

The process considerations for managing an audit programme are shown in Appendix 16. The 
diagram shows the process flow (or Plan-Do-Check-Act cycle) for the management of an audit 
programme. 

Appendix 17 shows examples of audit programmes. 


2.2 Setting the audit programme objectives 

Managing the audit programme includes establishing the objectives for all audit programmes 
so that the planning and conduct of audits may be controlled. 

These objectives should be based on consideration of: 

• management priorities; 

• commercial intentions; 

• management system requirements; 

• statutory, regulatory and contractual requirements; 

• the need for supplier evaluation; 

• customer requirements; 

• needs of other interested parties, and 

• risks to the business. 

So, depending on the types of audits that the organisation is going to be carrying out, the 
programme objectives could be one or all of the following: 

• to meet the requirements of certification to ISO 9001:2000 (or other management system 
standard); 

• to verify conformance with contractual requirements; 

• to obtain and maintain confidence in the capability of a supplier (second-party audit); 

• to contribute to the improvement of the quality management system. 

2.3 Extent of the audit programme 

The extent of the audit programme will vary in size, nature and complexity (again depending on 
the types of audits that will be carried out) but will be influenced by the: 

• scope, objective, and duration of each audit; 

• frequency of audits to be conducted; 

• number, status, importance, complexity, similarity and locations of the activities to be 
audited; 

• standards, statutory, regulatory and contractual requirements, policies, procedures and 
other audit criteria; 

• need for accreditation and registration/certification; 

• results of previous audits or a previous audit programme review; 

• language, cultural and social issues; 

• concerns of interested parties; 

• significant changes to any functional area. 

Appendix 18 contains a proforma for an internal audit programme. 

2.4 Responsibilities, resources and procedures 

2.4.1 Responsibilities 

Responsibility for managing the audit programme should be assigned to (an) individual(s) who 
has (have) a specific understanding of audit principles, auditor competence and the application 
of audit techniques. They should have appropriate management skills as well as technical and 
business understanding relevant to the activities to be audited. 

2.4.2 Resources 

Audit programme resources will include: 

• financial resources to develop, implement, manage and improve audit activities; 

• audit techniques; 

• processes to achieve and maintain auditor competence and to improve auditor 
performance; 

• availability of auditors and technical experts; 

• the extent of the audit programme; 

• travelling time, accommodation and other auditing needs. 

2.4.3 Audit programme procedures 

Procedures need to be developed and implemented to address responsibilities and 
requirements for planning and conducting audits, the selection of auditors, the methods of 
reporting and maintaining records; this is a requirement for internal audits (ISO 9001:2000, 
clause 8.2.2). 

2.5 Audit programme activities 

Managing or directing the audit activities is covered in detail in the Lectures that follow. 

2.6 Audit programme records 

Records should be maintained to demonstrate the effective operation of the audit programme. 
These should include: 

• results of the audit programme review; 

• audit plans; 

• audit reports; 

• nonconformity reports; 

• reports of corrective action; 

• auditor personnel records, covering areas, such as performance evaluation, audit team 
selection, qualifications and training. 

2.7 Monitoring and reviewing the audit programme 

The audit programme needs to be monitored periodically in order to assess: 

• whether the audit objectives are being met; 

• the effectiveness of the audit programme; 

• any opportunities for improvement. 

As with all other processes, the monitoring activity should use performance indicators as 
evidence that the audit objectives are being met. 


Lecture 9 
Audit planning 

OBJECTIVES 

When you have completed this topic, you will be able to: 

explain the need to establish the audit objectives and criteria; 
explain the purpose and significance of the audit scope; 
explain the considerations for establishing an audit team; 
describe the roles and responsibilities of auditors and lead auditors; 
be aware of the best practices at meetings. 


KEY POINTS 

❖ Planning the audit 

❖ Audit roles and responsibilities 

❖ Good practice at meetings 


1 GENERAL 

There are a number of distinct activities that take place during an audit. These are: 

• planning the audit; 

• preparing for the on-site audit; 

• conducting a document review; 

• conducting the on-site audit; 

• reporting on the audit; 

• conducting audit follow-up, where appropriate. 

These activities are set out as a process flow chart in Appendix 19. 

This Lecture looks at audit planning. Lecture 10 considers preparing for the audit and the 
document review. Lecture 11 addresses the conduct of the actual audit itself and Lecture 13 
considers audit reporting and the activities associated with audit completion and the follow-up 
process. 

2 PLANNING THE AUDIT 

2.1 Audit objectives 

Within the overall audit programme, each individual audit should be based on documented 
objectives, scope and criteria. 

The objectives of an audit may include one or all of the following: 

• determining the extent of conformity of the organisation's management system, or parts of 
it, with the audit criteria; 

• evaluating the capability of the management system to ensure compliance with legislative 
and contractual requirements; 

• evaluating the effectiveness of the implemented management system in meeting specified 
objectives; 

• identifying areas of potential improvement of the management system. 

So the objective of an audit may be to establish the extent to which the organisation conforms 
to ISO 9001:2000 within the scope of its clearly defined business activities. 

For an internal audit, the objective may be to evaluate the purchasing process against ISO 9001, 
clause 7.4; or to evaluate the purchasing function against the quality objectives for the activity; 
or to evaluate the purchasing process against the organisation’s own documented 
requirements. 

2.2 Audit scope 

The audit scope describes the extent and boundaries of the audit in terms of factors such as: 

- physical locations; 

- organisational units; 

- activities and processes to be audited; 

- the duration of the audit. 

So the scope of the audit could be the clearly defined scope of the quality management system 
set out in the organisation’s quality manual, or the main business activities of the organisation 
at a specific location. In the case of an internal audit, the scope could be defined quite narrowly 
as, for example, the purchasing process throughout the organisation. 

2.3 The audit criteria 

The audit criteria may include applicable: 

- standards (for example, ISO 9001); 

- policies; 

- procedures; 

- regulations; 

- legislation; 

- management system requirements; 

- contract requirements; 

- industry/business sector codes of conduct. 

2.4 The audit objectives, scope and criteria should be defined by the organisation being audited 
(the client, in the case of certification bodies). 

As a consequence, any subsequent changes to these need to be agreed with the client, audit 
programme management, and if appropriate, the auditee, after consultation with the auditor. 

2.5 Feasibility of the audit 

As part of the planning process, the audit programme manager should determine the feasibility 
of the audit, taking into consideration such factors as: 

- sufficient and appropriate information for planning the audit; 

- business objectives, policies, products; 

- adequate co-operation from the auditee; 

- availability of time and adequate resources. 

Where the audit is not feasible, an alternative should be proposed to the audit client by the 
audit programme manager, in consultation with the auditee. 

The feasibility of the audit should be reviewed after the document review, taking into account 
anything that had been identified during the review. 

2.6 Establishing the audit team 

As soon as the audit has been declared feasible, the composition of the audit team should be 
established. 

The audit programme manager should appoint an audit team leader with the appropriate skills 
and competence needed to achieve the objectives of the audit. 

The audit team will comprise an audit team leader and may comprise auditors, auditors-in- 
training and technical experts, working under the direction of the audit team leader. 

However, if there is only one auditor, that auditor should perform all of the duties of the audit 
team leader. 

Consideration should be given to the following issues when deciding the size and composition 
of the audit team: 

• audit objectives, scope, criteria, location(s) and estimated duration; 

• the overall competence needed to achieve audit objectives; 

• requirements of accreditation or certification bodies as appropriate; 









• the language of the audit and understanding of the auditee’s social and cultural 
environment; 

• the need to assure the independence of the audit team from the activities to be audited 
and to avoid any conflicts of interest; 

• the ability of the audit team members to interact effectively with the auditee and to work 
together. 

The audit client and the individual auditee have the right to request the replacement of 
particular team members on reasonable grounds; such requests should be made to the audit 
programme management. Examples of reasonable grounds may be those of conflicting interests 
(such as an audit team member who was a former employee of the auditee or who provided 
consultancy services) or previous unethical behaviour. 

The selected team auditors must have an understanding of the sector of business in which they 
are auditing and of the key issues for the organisation. They should be aware of the culture 
and ethics of the organisation to be audited. This is important when evaluating the pro-active 
role of management in the integration of business objectives, policy, product and service 
requirements with customer focus. 


3. AUDITOR ROLES AND RESPONSIBILITIES 

3.1 Team leader responsibilities 

During the audit, the responsibilities of the Team Leader are to: 

• make final decisions for all phases of the audit; 

• prepare the audit plan; 

• assign team roles; 

• brief the team; 

• review working documents to ensure adequacy; 

• represent the audit team at opening and closing meetings; 

• report critical nonconformities to the auditee immediately; 

• report any major obstacles encountered during the audit; 

• submit the audit report. 

3.2 Audit team assignments 

The audit team leader should assign to each team member responsibility for auditing specific 
management system processes, functions, sites, areas and activities. 

Such assignments should take into account the need to maintain auditor independence, 
competence and efficient use of resources. 

3.3 The responsibilities of team members 

Team members should: 

• review all relevant information related to their assigned tasks; 

• prepare any work documents (including checklists) necessary to carry out those tasks; 

• comply with the audit requirements; 

• carry out assigned duties effectively and efficiently; 

• report deficiencies and audit findings to the Team Leader; 

• co-operate and support the Team Leader. 

During any audit, team members should: 

• stay within the audit scope; 

• communicate the audit requirements to the auditee; 

• collate objective evidence from the audit both for and against conformance; 

• document any Corrective Action Requests (CARs); 

• report the audit findings to the auditee; 

• verify corrective actions taken in response to CARs; 

• retain and safeguard all documents pertaining to the audit. 


4. GOOD PRACTICE AT MEETINGS 

4.1 At meetings, auditors should remain polite, calm and professional at all times. 

They should: 

introduce themselves; 

ensure that the agenda is known and understood; 
keep to the agenda; 
keep control; 
keep to time; 
avoid arguments; 
listen to others; 
maintain appropriate records. 


Lecture 10 

Preparing for the on-site audit 

OBJECTIVES 

When you have completed this topic, you will be able to: 

understand the purpose of the pre-audit visit; 
state the purpose of the document review; 
describe a typical document review process and outputs; 
develop the audit plan; 
identify the considerations for an on-site process-based audit; 
explain the use, benefits and potential limitations of using checklists. 


KEY POINTS 

❖ Initial contact with the auditee 

❖ Document review 

❖ The audit plan 

❖ Work documents 

❖ The audit checklist 


1. INITIAL CONTACT WITH THE AUDITEE 

1.1 The initial contact with the auditee may be formal or informal. 

Depending on the situation, the audit programme manager or audit team leader should contact 
the auditee to finalise arrangements for the audit. In an internal audit this may be informal, but 
for some third-party audits, this may take the form of a formal pre-audit visit (see below). 
However it is done, the purpose of the initial contact is to: 

• establish communication channels; 

• provide information on proposed timings; 

• obtain information for selecting the audit team; 

• request documentation and records; 

• make arrangements for the audit. 

The need for accompanying persons such as observers, interpreters or guides for the audit 
team should be mutually agreed. 

1.2 The purpose and benefits of a pre-audit visit 

For many third-party initial audits, the auditor will seek a formal pre-audit visit in order to: 

• confirm the audit criteria and processes in use; 

• clarify the extent and scope of the audit, the departments and facilities that will be involved; 

• agree the methods to be adopted during the audit; 

• resolve any misunderstandings. 

There are benefits in this approach. The pre-audit visit should: 

• impart a sense of co-operation between management of the organisation and the auditor; 

• identify any special needs for the audit team such as skills, knowledge, facilities, protective 
clothing and so on; 

• identify detailed layout of the facility to be audited and so permit an accurate estimate of 
the number of team members and duration of the audit. 


2. DOCUMENT REVIEW 

2.1 The next stage in the preparation process is for the auditor (the audit team leader or an 
auditor nominated by the audit team leader) to study the documents relevant to the audit 
criteria, objectives and scope of the audit. This is called the document review or “desk study”. 

2.2 The purpose of the review is to provide information to the auditor for the on-site audit activities. 
The information should cover the technical aspects of the organisation’s products and services, 
and structure of the processes within the quality management system. The auditor should use 
this information to: 

• devise an audit plan to notify the auditee of the format for the audit (see paragraph 3 
below); 

• develop a checklist for the audit (see paragraph 5 below). 

2.3 Depending on the type of audit, and the objectives and scope of the audit, the auditor will wish 
to review: 

- the documented statements of quality policy and objectives; 

- the quality manual; 

- the documented procedures required by the Standard; 

- other documents needed by the organisation, such as process flow-charts, procedures, 
work instructions and forms; 

- previous audit records; 

so as to gain a thorough understanding of the organisation and its processes. 

In an internal audit, the auditor will probably concentrate on the process documentation 
covering the precise scope of the audit. 

The documentation should be reviewed to determine the conformity of the quality management 
system processes with the audit criteria. 

2.9 Process review 

In some situations, there may not be explicit guiding documents such as a procedure that 
signposts this information. Instead, the auditor may be faced with little more than a process 
map covering several complicated tasks and activities. 

In such circumstances, the auditor will need to ensure that the tasks and activities needed to 
deliver the process quality objectives and the audit criteria have been addressed. 

These may be visualised by the auditor mapping the processes (see Appendix 20) or by 
developing flow charts or checklists based on the requirements of ISO 9001. Alternatively, the 
auditor may develop his or her own personal checklist based on the documentation that does 
exist. 

2.10 Concerns at the review stage 

If the management system documentation is found to be inadequate, such that it does not meet 
the audit scope or criteria, the audit client, the audit programme management and the auditee 
should be informed. 

The audit should not continue until the deficiencies are resolved to the satisfaction of the audit 
programme management in consultation with the audit client, the audit team leader and, if 
appropriate, the auditee. 


3 THE AUDIT PLAN 

3.1 The audit team leader should prepare a plan for the on-site audit activities. The plan should 
provide the necessary information to the audit team, auditee and audit client. It should enable 
the scheduling and co-ordination of the audit activities. 

The level of detail should be adapted to suit the scope and complexity of the audit. The details 
may differ between initial and surveillance audits and between internal and external audits. 

3.2 The audit plan should include: 

• the audit objectives and scope; 

• the audit criteria and reference documents; 

• the dates and places where the on-site audit activities are to be conducted; 

• the identification of the organisational and functional units and processes to be audited; 

• the expected time and duration for audit on-site activities, including meetings with the 
auditee’s management and audit team meetings. 









The plan may also include, as appropriate: 

• the identification of the sites, activities and management system processes that are 
essential to meeting audit objectives in order to allocate appropriate resources to critical 
areas of the audit; 

• the identification of the auditee’s key representatives participating in the audit; 

• the working and reporting language(s) of the audit where this is different from the language 
of the auditor(s) and/or the auditee; 

• the identification of roles and responsibilities of the audit team members and any 
accompanying persons; 

• the audit report topics (including any methods of non-conformance classifications), format 
and structure, expected date of issue and distribution; 

• logistic arrangements (travel, on-site facilities etc.); 

• matters related to confidentiality; 

• any arrangements for audit follow-up actions. 

3.3 In planning on-site audits, auditors need to be aware of, and take into consideration, any local 
customs or cultural issues that may have a bearing on the conduct of the audit. These may 
relate to language, dress and personal conduct of the auditor. Auditors must be sensitive to the 
needs and expectations of auditees. 

3.4 The plan should be reviewed and accepted by the audit client and presented to the auditee 
before the audit. 

Any objections by the auditee should be resolved between the audit team leader, the auditee 
and the audit client before continuing the audit. 

3.5 The audit plan should be sufficiently flexible to permit changes, such as any changes in 
emphasis that may become necessary as the on-site audit activities progress. Any revised audit 
itinerary should be agreed between the parties concerned before continuing the audit. 


4 WORK DOCUMENTS 

Work documents used by the audit team for the purpose of reference and/or recording the audit 
can include: 

• audit procedures, checklists and sampling plans; 

• the audit plan described above; 

• forms for recording information, supporting evidence, records of meetings and audit 
findings. 

The use of work documents, such as audit plans, checklists and forms, should not restrict the 
extent of audit activities. 

Work documents should be retained, at least until audit completion. Audit team members 
should suitably safeguard those involving confidential or proprietary information. 


5 AUDIT CHECKLIST 

5.1 The checklist is a valuable aid to auditing and is used as a working document, and a record. 

The compilation of a checklist is a way of analysing the processes involved. 

The purpose of a checklist is to ensure that the objectives and scope of the audit are met, and 
that every part of the audit is completed. 

The checklist acts as a guide for the auditor. It is the auditor's main tool in carrying out the audit 
successfully. 

5.2 The advantages of using a checklist are: 

• an aid to preparation for the audit; 

• the number of questions and size of samples can be used to estimate the time required to 
conduct an audit or parts of an audit; 

• an aid to the auditor to control the depth of the audit; 

• an aid to the auditor to control the pace of the audit; 

• an aid to the auditor to ensure that all of the planned arrangements for the audit are 
covered; 

• a means of recording responses by auditees. 

5.3 However, there are disadvantages with using a checklist: 

• the use of standardised checklists may stifle initiative and analysis of the processes or 
procedures; 

• a checklist may prevent the auditor from investigating significant incidents simply because 
they were not on the checklist. 

5.4 In preparing the checklist, the auditor should consider: 

• the processes which are taking place; 

• any relevant procedures; 

• the documents and records which are being used; 

• the requirements of the Standard; 

• the requirements of the quality management system. 

5.5 The complexity or detail on a checklist will depend on the experience of the auditor. 

An example of a blank checklist is set out in Appendix 21. 

An example of a completed checklist is shown in Appendix 22. 


Lecture 11 

Conducting the audit 

OBJECTIVES 

When you have completed this topic, you will be able to: 


• explain the process of, and different methods for, gathering evidence during an audit; 

• describe the purpose, structure, content and attendees typically at opening meetings; 

• explain the roles and responsibilities of guides; 

• describe the benefits and limitations of sampling; 

• understand how to conduct and control audits; 

• appreciate the various techniques of questioning auditees; 

• identify the channels of communication between auditors and auditees. 


KEY POINTS 

❖ Collecting and verifying information 

❖ Opening meeting 

❖ Roles and responsibilities of guides 

❖ Conducting the audit 

❖ Questioning techniques 

❖ Controlling the audit 

❖ Communication with the audit client and auditee 



1. COLLECTING AND VERIFYING INFORMATION 

1.1 The diagram in Appendix 23 provides an overview of the on-site audit process from the gathering of 
information to the reaching of audit conclusions. 

Information collected during the audit should be verified by the auditors and can then be 
considered to be “audit evidence”. 

1.2 ISO 9000 defines audit evidence as: 

Records, statements of fact or other information which are relevant to the audit criteria 
and verifiable. 

Audit evidence should be identified, documented and recorded. 

1.3 The auditor will need to obtain information about: 

• people; 

• processes; 

• equipment, tools, materials; 

• documentation. 

1.4 This is done in several ways, such as: 

• interviews; 

• observations of activities and the surrounding work environment and conditions; 

• documents, for example, policy, objectives, plans, procedures, instructions, licences and 
permits, specifications, drawings, contracts, orders; 

• records, such as inspection records, minutes of meetings, reports or logbooks on customer 
complaints and other relevant communication from external interested parties, audit 
reports, monitoring programmes and results of measurements; 

• data summaries, analyses, metrics and performance indicators; 

• records of the basis of relevant sampling programmes and the procedures for ensuring 
effective quality control of sampling and measurement processes; 

• reports from other sources, for example, customer feedback, external reports and vendor 
supplier ratings; 

• computerised data bases and web sites. 

1.5 Information should also be collected relating to interfaces between functions, activities and 
processes. 

1.6 The step-by-step process of tracking activities, following leads and ascertaining evidence to 
obtain information is called an “audit trail”. 

1.7 The audit evidence collected during an audit will inevitably be only a sample of the information 
available, since an audit is conducted during a finite period of time and with limited resources. 
There is thus an element of uncertainty inherent in all audits, and attention of users of the audit 
conclusions should be drawn to this uncertainty. 


2 OPENING MEETING 

2.1 An opening meeting should be held with the management of the organisation being audited or, 
where appropriate, those responsible for the functions or processes to be audited. Records of 
attendance at the opening meeting should be kept. 

2.2 The purpose of the meeting is to: 

- present or to confirm the audit plan; 

- clarify how the audit activities will be undertaken; 

- establish communication. 

2.3 The meeting should be chaired by the audit team leader and the following items considered, as 
appropriate: 

• introduction of the participants, including an outline of their roles; 

• confirmation of the audit objectives, scope and criteria; 

• confirmation of the audit plan and other relevant arrangements with the auditee, such as 
the date and time of the closing meeting, any interim meetings between the audit team and 
the auditee's management, and any late changes; 

• methods and procedures to be used to conduct the audit, advising the auditee that the 
audit will only be a sample of the information available and of the element of uncertainty 
inherent in all audits; 

• confirmation of formal communication links between the audit team and the auditee; 

• confirmation that during the audit, the auditee will be kept informed of audit progress; 

• confirmation that any resources and facilities needed by the audit team are available; 

• confirmation of matters relating to confidentiality; 

• confirmation of relevant work safety, emergency and security procedures for the audit 
team; 

• confirmation of availability, roles and identity of any guides; 

• method of reporting including the classification of non-conformities; 

• information about any audit appeal system. 

At the end of the opening meeting opportunity should be given to the auditee to ask any 
questions. 

2.4 In many audit situations, for example, surveillance audits or internal audits, the opening meeting 
may consist simply of communicating that an audit is taking place, so the above list is neither 
prescriptive nor exhaustive. 

The golden rules are: 

- keep it brief and concise; 

- keep control. 

2.5 Following the opening meeting, auditors may request a short tour of the premises to familiarise 
themselves with the layout of the organisation. 

2.6 Opening meetings for internal audits may be less formal. Escorts, representatives, formal 
opening and closing meetings may not be necessary for Internal Audits. 


3. ROLES AND RESPONSIBILITIES OF GUIDES 

Where guides are assigned, they should assist the audit team and act on request of the audit 
team leader. Their duties may include ensuring that rules concerning safety and security 
procedures are known and respected by the auditors on site. They may also witness the audit 
on behalf of the auditee. Guides should not exercise undue influence or interference, except 
where, with the agreement of the auditor, the guide can provide clarification or assist in 
establishing correct information. 


4. CONDUCTING THE AUDIT 

4.1 The auditor should adopt a positive, professional and constructive approach. In common with 
this, the auditor should try to obtain a co-operative, open and honest approach from the auditee. 

4.2 To achieve these objectives, the auditor should: 

• meet the area representative first; 

• always talk to those performing the task; 

• explain the purpose of the visit; 

• be calm, polite and reassuring; 

• never talk down, never act superior; 

• speak clearly and carefully. 

4.3 Interviews are an important means of collecting information and should be carried out in a 
manner adapted to the situation and person interviewed. However, the auditor should consider 
the following: 

• interviews with persons from different levels and functions, and especially with persons 
performing activities or tasks under consideration; 

• whenever possible, the interview should be conducted during normal working hours and at 
the normal workplace of the interviewed person; 

• every attempt should be made to put the interviewed person at ease prior to the interview; 

• the reason for the interview and any note taking should be explained; 

• interviews may be initiated by asking the persons to describe their work; 

• the results from the interview should be summarised and any finding should be verified 
with the interviewed person where possible; 

• leading questions should be avoided; 

• the interviewed persons should be thanked for their participation and co-operation. 

4.4 The auditor should use all of his or her senses when carrying out the audit. Auditors must keep 
their eyes and ears open! 

Auditors must examine the objective evidence and ask open-ended questions. They may refer 
to their checklists and make notes. Should they discover a deficiency, they should consider the 
full impact of the problem and the actual physical conditions of the area or processes under 
audit. 


5. QUESTIONING TECHNIQUES 

There are six words that are important to any auditor. These are: 

• how 

• where 

• when 

• what 

• why 

• who 

The auditor should ask efficient, open-ended questions to elicit information. 


6. CONTROLLING THE AUDIT 

6.1 The auditor must control the audit. 

DO NOT: 

• be side tracked; 

• be led or misled; 

• get "bogged down"; 

• let the auditee dictate the pace of the audit; 

• make assumptions or presumptions. 


6.2 DO: 

• be prepared; 

• be punctual; 

• insist that the person being questioned answers for themselves; 

• do as little talking as possible; 

• avoid misunderstandings; 


• keep questions clear and concise; 

• be polite and calm; 

• give compliments. 

6.3. The auditor must be prepared for, and be aware of, a range of possible occurrences during the 
course of the audit. For example: 

• aggressive auditees; 

• timid auditees; 

• missing people; 

• missing documents; 

• pre-prepared samples (always choose your own); 

• special cases; 

• local issues and cultural customs; 

• emotional blackmail. 

When faced with these situations, the auditor must act decisively, professionally and fairly, 
keeping in mind the objectives and purpose of the on-site audit. 

7. COMMUNICATION DURING THE AUDIT 

Depending on the scope and complexity of the audit, it may be necessary to establish formal 
arrangements for communication during the audit. 

An audit team should confer at least daily in order to exchange information, assess audit 
progress and reassign work between auditors as needed. 

During the audit, the team leader should periodically communicate the status of the audit and 
any concerns to the auditee and audit client, as appropriate. 

Where the available evidence indicates that the audit objectives are unattainable, the audit 
team leader should report the reasons to the audit client and the auditee to determine the 
appropriate action, which may include termination of the audit or a change in the audit 
objectives. 

Any concern about an issue outside the audit scope should be noted and reported to the audit 
team leader, for possible communication to the audit client and auditee. Any need for changes 
in the audit scope which may become apparent as on-site auditing activities progress should be 
reviewed with and approved by the audit client and, as appropriate, the auditee. 


Lecture 12 
Audit review 


OBJECTIVES 

When you have completed this topic, you will be able to: 

• describe the purpose, structure, content and attendees typically at audit review meetings; 

• understand the processes of identifying and drafting finding statements; 

• explain the methods for identifying nonconformities; 

• describe the purpose and typical content of Corrective Action Requests (CARs); 

• describe the classification of CARs and the implications; 

• describe the use of “observations”; 

• explain the further actions required for the different grades of CARs. 


KEY POINTS 

❖ Audit review meeting 

❖ Audit findings 

❖ Finding statements 

❖ Corrective Action Requests (CARs) 

❖ Classification of CARs 

❖ Observations 



1. AUDIT REVIEW MEETING 

1.1 When the audit is complete, the audit team leader must conduct a private review of the 
findings. Interim or end of day reviews may also be necessary. The review will involve all the 
members of the audit team. 

The review will include: 

• a study of notes and/or comparison of notes with team members; 

• a review of checklists; 

• the listing of findings, together with any audit evidence; 

• decisions on nonconformities and observations; 

• the writing and classification of Corrective Action Requests (CARs). 


2. AUDIT FINDINGS 

2.1 Until it is classified, an audit finding may be a: 

• nonconformity; 

• nonconformance; 

• noncompliance; 

• observation. 

A nonconformity (nonconformance or noncompliance) arises when the process or procedure 
being audited is not being conducted or completed as it should. 

2.2 ISO 9000 defines a nonconformity as: 

The non-fulfilment of a requirement. 

Therefore, a nonconformity may be a failure to: 

• comply with the standard applicable to the organisation; 

• implement quality policy, process or documented requirements specified by the organisation; 

• implement a legislative or contractual requirement. 

If there is no specified requirement, there can be no nonconformity. What an auditor thinks should 
be done is not a specified requirement. 

2.3 Non-conformities should be recorded and supported by audit evidence. Non-conformities 
should be reviewed with an appropriate auditee representative to obtain acknowledgement of 
the audit evidence. The auditee representative’s acknowledgement indicates that the audit 
evidence is accurate, and that the nonconformity is understood. Every attempt should be made 
to resolve any divergence of opinion concerning the audit evidence, and unresolved points 
should be recorded. 

2.4 Sometimes during an audit, an auditor may identify a deficiency that is then effectively resolved 
by management before the closing meeting. In a situation such as this, provided the auditor is 
convinced that the matter has indeed been resolved, it should not be raised formally at the 
closing meeting. A record should be made by the auditor to verify that the action implemented 
is complete and acceptable. 

2.5 When are finding statements written? 

A “finding statement” is a written account of the nonconformity. 

Some auditing organisations insist on finding statements being written out immediately a 
deficiency is identified and the representative's signature obtained. However, an auditor should 
ensure that all relevant evidence is gathered before making a decision. 

The best practice is to: 

• go over the facts verbally and agree the nature of the nonconformity with the auditee, detailing 
the audit evidence; 

• make notes and consult these later to make a statement; 

• draft finding statements during a working lunch or at the end of the day, then finalise at the 
private review. 

When working as a member of an audit team, the auditor will need to review the evidence with the 
team before deciding the wording of a finding statement and its classification. 


3. FINDING STATEMENT 

3.1 The finding statement should contain: 

• overview of finding; 

• description of the deficiency; 

• example of audit evidence; 

• summary of the requirement. 

3.2 Below is an example of a finding statement, based on the deficiency identified in the example of 
a completed checklist in Appendix 22: 

Process documentation is not being implemented effectively in that not all purchase orders 
are being fully completed. For example: POs 1234 and 1235 do not show prices or delivery 
dates. 

All Purchase Orders must be completed in accordance with Instruction QI6. 

3.4 A number of similar nonconformities may be grouped by process, function, procedure or 
Standard clause into a single finding statement. 

4. CORRECTIVE ACTION REQUEST (CAR) 

4.1 This is a Form used by many organisations (see Appendix 24). It is used to describe a 
nonconformity or noncompliance and request action. It may also be known as a Nonconformity 
Report, Noncompliance Notice, etc. 

The CAR is raised after careful consideration at the audit review prior to the closing meeting 
with the organisation. 

The CAR Form is used to: 

• report nonconformities; 

• show the level or classification of those nonconformities; 

• record acceptance of the nonconformity by the auditee (usually the audited organisation’s 
representative); 

• record the actions taken to correct the nonconformity; 

• record acceptance by the auditor of the corrective action taken to resolve the 
nonconformity. 

The CAR should contain references to: 

• the applicable process, function or procedure; 

• Standard and clause number; 

• auditor’s name; 

• finding statement. 


5. CLASSIFICATION OF CARs 

5.1 The classification given to a nonconformity can vary from one organisation to another but the 
following is typical: 

• Major 

• Minor 

5.2 MAJOR CAR 

Raised where: 

• there is a total breakdown of a process or procedure critical to product quality, or in the 
effective operation of the organisation’s quality system; 

• there is a total absence of a requirement demanded by the Standard or the organisation’s 
quality system; 

• there are a number of minor lapses in a process, which when taken together, collectively 
suggest a total or important breakdown in the process; 

• the nonconformity is likely to result in an immediate risk to the quality of the product or service 
being offered. 


5.3 MINOR CAR 

Raised when a deficiency (or deficiencies) has been identified in a process in the operation of 
the organisation’s quality system, but which is less severe than would warrant a Major CAR. 


5.5 The classification of CARs is based upon good judgement, expertise and experience of the 
auditor, and may have far-reaching consequences. 

5.6 Consequences of raising CARs 

Should a Major CAR be raised during an initial third-party audit, the nonconformity must be 
corrected and the correction verified before registration can be recommended. 

If raised during a surveillance audit, the Major CAR may lead to registration being withdrawn if 
not corrected. 

A Minor CAR allows registration to proceed. The corrective action taken is usually verified at the 
following surveillance visit. 

If not closed, a Minor CAR will be re-classified as a Major. 

In second-party audits, Major CARs may result in contracts being withdrawn, not awarded or 
renewed. 

Minor CARs are usually corrected and verified as agreed between the two organisations. 

The classification of nonconformities is not necessary for internal audits. CARs are meant to 
assist management in improving the system and, in internal auditing, may be supported by 
recommendations to correct and improve the quality system. Audits, therefore, should be 
positive and constructive. Effective corrective action is more important. 


6. OBSERVATIONS 

6.1 Audit findings may also take the form of “Observations” or “Comments” or “Areas for 
improvement”. 

In many ways, “Observations” are the added-value part of the audit. They are the points on 
which the auditor may wish to comment but for one reason or another, are not reported as 
CARs. 

Observations may include: 

• good practices which could benefit other processes within the organisation; 

• areas of concern which are not yet serious enough to warrant CARs; 

• situations which if not addressed may give rise to CARs at a later date; 

• deficiencies for which the auditor is prepared to give the organisation the “benefit of the doubt”; 

• suggestions for action to improve the effectiveness of the quality management system. 

Observations provide a flexible method of reporting for the auditor in that although they have no 
formal status, observations can make the difference between a positive and negative audit. 

Because Observations can add value to an audit, many organisations regard them in much the 
same way as CARs; that is, actions taken in response to Observations are reviewed and 
evaluated during future audits. 


Lecture 13 

Audit reporting and follow-up 

OBJECTIVES 

When you have completed this topic, you will be able to: 

• describe the purpose, structure, content and attendees typically at closing meetings; 

• describe the preparation, approval and distribution of audit reports; 

• explain the roles and responsibilities for taking and verifying corrective action; 

• explain the steps necessary to address corrective actions; 

• identify the types of objective evidence that may be required to demonstrate effective 
implementation of corrective and preventive action; 

• understand the role of the management review; 

• appreciate the steps necessary to follow-up and close out corrective actions. 


KEY POINTS 

❖ Presenting the findings 

❖ Reporting on the audit 

❖ Audit completion 

❖ Corrective action 

❖ CAR status log 

❖ Management review 

❖ Follow-up and close out 



1. PRESENTING THE FINDINGS 

1.1 When the review is complete the auditor/team will present the findings to management at a 
“closing meeting”. 

1.2 Closing meeting 

A closing meeting, chaired by the audit team leader, should be held with the auditee’s 
management and those responsible for the functions audited. Records of attendance at the 
closing meeting should be kept. The purpose of this meeting is to present audit findings and 
conclusions in such a manner as to ensure that they are understood and acknowledged by the 
auditee and to agree the time period for the auditee to present any corrective action plan. 

1.3 For internal audits, this may be an informal process. The meeting should be constructive and 
aimed at system improvement, especially as the auditor and auditee work for the same 
organisation and have the same objectives. 

1.4 For a second-party closing meeting much more care is needed as there are contracts at stake 
and reports can be used as a future reference. It is a sensitive situation and the auditor must 
be prepared to be cross-examined by the auditee on his or her findings. 

1.5 A third-party closing meeting is usually very formal. The auditor must be aware that the 
organisation is the client and as such will expect a comprehensive, detailed and constructive 
presentation of findings. 

1.6 A closing meeting agenda will vary according to the type of audit conducted, but the following 
list, which is neither exhaustive nor prescriptive, contains typical items on a closing meeting 
agenda: 

• distribute attendance list; 

• restate purpose and scope, including any exclusions; 

• state decision and conclusion; 

• summary of good points within the quality management system; 

• explain major and minor CARs; 

• explain CAR form completion; 

• obtain client representative's signature on CAR; 

• explain significance of sampling technique; 

• report on observations; 

• stress confidentiality; 

• explain reporting and follow-up; 

• have auditor log signed; 

• obtain attendance list; 

• thank the client; 

• congratulate where appropriate. 

1.7 During the closing meeting, the auditor/team leader must: 

• explain all findings and evidence carefully and precisely; 

• be prepared to support and justify findings; 

• avoid being drawn into an argument; 

• apologise if an error transpires and alter or withdraw the CAR if necessary; 

• refuse the 'quick fix' as a sole solution to the finding. The management must investigate and 
attempt to correct the root cause of the problem to prevent any recurrence. 

2 REPORTING ON THE AUDIT 

2.1 Audit report preparation and content 

The audit team leader is responsible for the preparation, accuracy and completeness of the 
audit report. 

The audit report should provide an accurate record of the audit and should contain audit 
conclusions on issues such as the following, if within the audit objectives and scope: 

• extent of conformance of the management system to the audit criteria; 

• the effective implementation of the management system; 

• the ability of the management review process to ensure the continuing suitability and 
effectiveness of the management system. 

The audit report should also include, or make reference to: 

• the identification of the organisation or processes audited; 

• the identification of the audit client; 

• the agreed audit objectives, scope, exclusions and plan; 

• the audit criteria, including a list of reference documents, against which the audit was 
conducted; 

• the identification of audit team members; 

• the date(s) and place(s) the audit was conducted; 

• the audit findings. 

The audit report may also include: 

• the duration of the audit; 

• the identification of the auditee's key representatives and any guides participating in the 
audit; 

• summary of the audit process including any obstacles encountered; 

• a statement of the confidential nature of the contents; 

• distribution list for the audit report; 

• confirmation that the audit objectives have been accomplished within the audit scope in 
accordance with the audit plan; 

• any agreed follow-up action plans; 

• any unresolved diverging opinions between the audit team and the auditee; 

• recommendations for improvement. 

2.2 Report approval and distribution 

The audit report should be issued within the agreed time period. If this is not possible, the 
reasons for the delay should be communicated to the audit client and a revised issue date 
should be agreed. 

The audit report should be dated and signed by the audit team leader and reviewed and 
approved as defined in appropriate documented procedures. 

The audit report should then be distributed to recipients designated by the audit client. 

The audit report is the property of the audit client and confidentiality should be respected and 
appropriately safeguarded by the audit team members and all report recipients. 

An example of an Internal Audit Report is given in Appendix 25. 

An example of a completed third-party certification Audit Summary Report is given in Appendix 
26. 

2.3 Retention of documents 

Work documents and reports pertaining to the audit should be retained or destroyed by 
agreement between the participating parties and in accordance with audit procedures and any 
applicable requirements. 

Unless required to do so by law, the audit team and audit programme management should not 
disclose the contents of documents, the nature of any other information obtained during the 
audit, or the audit report, to any other party without the explicit approval of the audit client and, 
where appropriate, the approval of the auditee. 


3. AUDIT COMPLETION 

The audit is completed when all activities in the audit itinerary have been concluded, including 
the distribution of the approved audit report. 


4. CORRECTIVE ACTION 

4.1 ISO 9000 defines Corrective Action as: 

Action taken to eliminate the cause of a detected nonconformity or other undesirable 
potential situation. 

4.2 In processing CARs, the auditor and auditee have specific responsibilities. The auditee's 
management must, in conjunction with the management representative: 

• investigate and clearly identify the problem; 

• propose a programme of long-term corrective action; 

• agree a target date for completion; 

• introduce changes; 

• verify effectiveness by internal audit; 

• notify auditor of conformance; 

• link with continuous improvement measures. 

4.3 To resolve the nonconformity, the management of the area that has been audited will: 

• take immediate action to correct the nonconformity; 

• analyse the effects of the nonconformity on the product or service; 

• identify the root cause of the problem; 

• initiate a similar investigation into other areas where the problem may exist; 

• develop effective actions to prevent a recurrence of the nonconformity; 

• implement and monitor the corrective action. 

4.4 The Management Representative should: 

• approve the proposed corrective actions; 

• monitor progress in completing the corrective actions; 

• arrange a follow-up internal audit to verify effectiveness. 

4.5 In third-party audits, the Management Representative is asked to propose a programme of 
long-term corrective and preventive action. These should be sent to the auditor. The auditor should 
review the new or revised documentation and, as far as possible, evaluate the likely 
effectiveness of the proposal and discuss this with the auditee if necessary. 

5. CAR STATUS LOG 

It is useful for the organisation to maintain a status log of outstanding nonconformities. This 
could include the status of the follow-up action as well as the status of CARs from second- and 
third-party bodies (see Appendix 27). 

6 MANAGEMENT REVIEW 

The results of internal and external audits should be reported to the Management Review. 
Here the results will be analysed and the status of corrective actions reported. Further actions 
to prevent recurrence impacting on the wider business policy, customer satisfaction, continuous 
improvement programmes and measures should be identified and implemented if necessary. 


7. FOLLOW-UP AND CLOSE-OUT 

7.1 Audit follow-up 

The audit client or auditee is responsible for determining any corrective action needed to deal 
with a nonconformity. Corrective action and subsequent follow up actions, which may include 
additional audits, should be completed within an agreed time period. The auditee should keep 
the auditor informed of the status of corrective action activities. 

Corrective action should be verified in accordance with the appropriate documented procedure. 
A follow-up report may be prepared and distributed in a manner similar to the original audit 
report. 

7.2 The process of determining whether the corrective action requested has been implemented is 
called "follow-up". This can be done by reviewing documentation submitted by the client or by 
visiting the client's premises. 

The action relating to the verification and acceptance of corrective action by the auditor is called 
"close-out". 

Methods of "close-out" will include re-audit of deficient areas, where physical evidence has to 
be seen, or review of new and/or revised documentation. 

7.3 The auditor will verify the effectiveness of corrective actions by visiting the organisation and: 

• carrying out an audit of objective evidence; 

• verifying that the corrective actions have been implemented; 

• ensuring short and long term effectiveness; 

• recording details of the follow-up; 

• signing-off the forms. 






